From 0392b07008b6fa6c3174305e231db61b11fafd93 Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Mon, 18 Apr 2022 21:16:21 +0200
Subject: [PATCH] updates on nginx security headers

---
 conf/nginx-primaryonly.conf | 2 ++
 conf/nginx/security.conf | 5 -----
 management/web_update.py | 7 ++++++-
 setup/web.sh | 2 --
 4 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 conf/nginx/security.conf

diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index d50e5c3c..915d45eb 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -36,6 +36,8 @@
 		add_header X-Frame-Options "DENY";
 		add_header X-Content-Type-Options nosniff;
 		add_header Content-Security-Policy "frame-ancestors 'none';";
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+		add_header Referrer-Policy "strict-origin";
 	}
 
 	# Nextcloud configuration.
diff --git a/conf/nginx/security.conf b/conf/nginx/security.conf
deleted file mode 100644
index fb871805..00000000
--- a/conf/nginx/security.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
-add_header X-Frame-Options "SAMEORIGIN";
-add_header X-Content-Type-Options nosniff;
-add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'";
-add_header Referrer-Policy "strict-origin";
diff --git a/management/web_update.py b/management/web_update.py
index 73ec4157..a22f8ed4 100644
--- a/management/web_update.py
+++ b/management/web_update.py
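Review bot: The Strict-Transport-Security value hard-coded on the first added line is fixed at `max-age=31536000; includeSubDomains` regardless of the per-domain `hsts` value that make_domain_config() in management/web_update.py consults, so responses from this path can carry a different HSTS policy than the rest of the same host — `preload` is dropped when that setting is selected, and the header is still emitted where the server level emits none. Because an `add_header` inside a nested block replaces every `add_header` inherited from the enclosing level, this block has to restate all of the server-level headers, which the two added lines do; a comment above them would keep future edits in step, e.g. `# add_header here replaces all inherited headers; keep this list in sync with make_domain_config() in management/web_update.py`. The block these lines sit in (presumably a location block) opens outside the hunk.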
@@ -211,9 +211,14 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 	# Add the HSTS header.
 	if hsts == "yes":
-		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000\" always;\n"
+		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\n"
 	elif hsts == "preload":
 		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n"
+
+	nginx_conf_extra += "\tadd_header X-Frame-Options \"SAMEORIGIN\" always;\n"
+	nginx_conf_extra += "\tadd_header X-Content-Type-Options nosniff;\n"
+	nginx_conf_extra += "\tadd_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'\";\n"
+	nginx_conf_extra += "\tadd_header Referrer-Policy \"strict-origin\";\n"
 
 	# Add in any user customizations in the includes/ folder.
 	nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
diff --git a/setup/web.sh b/setup/web.sh
index 12133fe2..3a8fc81b 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -156,8 +156,6 @@ if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
 	cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
 fi
 
-cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/
-
 # touch logfiles that might not exist
 touch /var/log/nginx/geoipblock.log
 chown www-data /var/log/nginx/geoipblock.log
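Review bot: The added Content-Security-Policy line enforces a policy that the deleted conf/nginx/security.conf only reported on (Content-Security-Policy-Report-Only), and because its script-src and style-src name no 'unsafe-inline', nonce or hash source, browsers will block inline scripts and inline styles on every page these server blocks serve, which presumably includes the admin panel and users' static sites — confirm that against those pages before enforcing. Until violations from the report-only form have been reviewed, the safer line is `nginx_conf_extra += "\tadd_header Content-Security-Policy-Report-Only \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'\";\n"`. The X-Content-Type-Options, Content-Security-Policy and Referrer-Policy lines also lack the `always` flag that the X-Frame-Options and HSTS lines carry, so nginx omits them from error responses. Nothing removes a previously installed /etc/nginx/sites-enabled/security.conf now that setup/web.sh stops copying it, so upgraded installs keep the old http-level file next to these server-level headers. make_domain_config() begins and ends outside this hunk.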